01-29-2010 11:03 PM
When I delete the devices on the MARS, in real time they are also removed from the Hotspot graph, but in the attack diagram it takes time, say an hour, before they are removed. Can somebody give me a tuning method on how to remove them in real time in the attack diagram, please?
thanks and regards
02-03-2010 02:07 AM
The attack diagram is based on the 'historical' firing of incidents. Deleting those devices on the graph/topology won't immediately delete them from the attack diagram. I don't even see why that would be required. Please let me know your specific requirement.
Regards
Farrukh
02-03-2010 03:15 AM
Thanks for the reply.
It happens that we need to know the real-time attacks on a certain device. Anyway, I just configured my MARS device and added the devices such as routers and switches as well as firewalls. Also, I configured the NetFlow. However, I have a question on mitigation: it seems that my MARS does not recommend a command that could be used. Also, I cannot push a command necessary to stop the attack. Could someone give me some other configuration parameters?
Thanks
02-03-2010 03:32 AM
Please try to add all network devices in the transit path into MARS, e.g. L2 switches.
MARS can only do mitigation on 'L2' devices (switches). For Layer 3, it can only 'suggest' configuration. But to be honest, it does not always work.
Regards
Farrukh
02-03-2010 05:24 AM
Thanks for the reply. I already added all the devices; say you have 4 devices, 1 firewall and 3 IOS devices with a minimum 12.2 IOS version, but still I can't mitigate a device to stop an attack on a device (routers). For example, I want to stop a certain host from accessing a router. Anyway, aside from adding devices, what could be the next step to tune the MARS?
Thanks and best regards
02-05-2010 10:17 PM
The most important thing is to filter out the false positives etc. from MARS. The preferred option is to do it at the reporting device itself (e.g. Event Action Filters in IPS), and as a last resort make 'Drop Rules' in MARS itself.
For the mitigation, did you add SNMP write access to these devices?
Regards
Farrukh
02-07-2010 07:09 AM
Thanks for the reply. I used this command on my devices:
snmp-server community ABCD rw
So does that mean I should be able to mitigate the device?
02-07-2010 08:02 AM
The RW string will take care of it from the device perspective (however, as a security best practice I would recommend adding an ACL to that command to restrict SNMP traffic to only the MARS box).
From the MARS side:
> You have to configure this string in MARS
> Make sure all L2 switches are added in MARS
Is MARS showing it as a mitigation device in incidents?
Regards
Farrukh
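As an added illustration (not from the thread) of the ACL restriction recommended above, here is the weak community line beside a hardened Cisco IOS version. The community string ABCD is taken from the thread; the MARS address 192.0.2.10 and ACL number 10 are placeholders.

```ios
! Weak: the read-write community is accepted from any source that can reach the device
snmp-server community ABCD rw

! Hardened: same RW community, but only accepted from the MARS appliance.
! 192.0.2.10 is an assumed placeholder for the CS-MARS address.
access-list 10 remark SNMP RW access restricted to CS-MARS
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
! Re-entering the community with the ACL argument replaces the unrestricted definition
snmp-server community ABCD rw 10
```

Verify with "show snmp community", which lists the access-list bound to each community; polls from other sources are then dropped and logged by the deny entry.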
02-08-2010 12:27 AM
Hi, thanks for the reply and advice. In my CS-MARS implementation I used the telnet, SSH, and SNMP access types, but still there is no mitigation. I have read that you can mitigate devices if you are using the SNMP access type; is that right?
Thanks again
02-13-2010 10:23 PM
Thanks, I am able to see the mitigation. Now I will just drill down and add all the remaining layer two devices. Thanks, your advice has been very helpful.